fips: add functions to inspect thread-local FIPS operation state

Signed-off-by: Daiki Ueno <ueno@gnu.org>

Merge branch 'tmp-2022-gtkdoc' into 'master'

Fix gtk-doc build, Debian bug #1003075

See merge request gnutls/gnutls!1507

Drop unquoted angle brackets in gtk-doc comment.

Signed-off-by: Andreas Metzler <ametzler@bebt.de>

Fix gtk-doc build, use http URI in sgml master.

Signed-off-by: Andreas Metzler <ametzler@bebt.de>

Merge branch 'p11tool-always-auth' into 'master'

p11tool: add --mark-always-authenticate option

See merge request gnutls/gnutls!1504

p11tool: add --mark-always-authenticate option

Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>

Merge branch 'copyright' into 'master'

doc: updated copyrights for 2022

See merge request gnutls/gnutls!1505

doc: updated copyrights for 2022

Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com>

accelerated: fix CPU feature detection for Intel CPUs

This fixes read_cpuid_vals to correctly read the CPUID quadruple, as
well as to set the bit the ustream CRYPTOGAMS uses to identify Intel
CPUs.

Suggested by Rafael Gieschke in:
https://gitlab.com/gnutls/gnutls/-/issues/1282

Signed-off-by: Daiki Ueno <ueno@gnu.org>

padlock: reset _gnutls_x86_cpuid_s only after padlock check succeeds

Otherwise it clears _gnutls_x86_cpuid_s which may already hold valid
CPUID detected for Intel and AMD CPUs.

Signed-off-by: Daiki Ueno <ueno@gnu.org>

Merge branch 'wip/dueno/nettle-hash' into 'master'

wrap_nettle_hash_fast: avoid calling _update with zero-length input

See merge request gnutls/gnutls!1503

Merge branch 'wip/dueno/hash-copy-doc' into 'master'

gnutls_{hash,hmac}_copy: mention the functions do not always work

See merge request gnutls/gnutls!1502

wrap_nettle_hash_fast: avoid calling _update with zero-length input

As Nettle's hash update functions internally call memcpy, providing
zero-length input may cause undefined behavior.

Signed-off-by: Daiki Ueno <ueno@gnu.org>

gnutls_{hash,hmac}_copy: mention the functions do not always work

It is known that some built-in accelerated implementation, such as
AF_ALG, does not support copying hash/hmac contexts.  This expands the
documentation to suggest checking the return value of those functions.

Signed-off-by: Daiki Ueno <ueno@gnu.org>

tests: extend system-override-curves-allowlist with key generation

Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

tests: tweak system-override-curves-allowlist insignificantly

Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

Merge branch 'tpm2-dep-correction' into 'master'

README: document tpm2-tss-engine test dependency

See merge request gnutls/gnutls!1498

README: document tpm2-tss-engine test dependency

Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

Merge branch 'ktls_api' into 'master'

ktls: API

See merge request gnutls/gnutls!1477

Merge branch 'aarch64-sha384' into 'master'

use sha384_digest in lib/accelerated/aarch64/sha-aarch64.c sha384

See merge request gnutls/gnutls!1497

use sha384_digest in lib/accelerated/aarch64/sha-aarch64.c sha384

Mirrors https://gitlab.com/gnutls/gnutls/-/merge_requests/1466

Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

ktls: flags

ktls enum flags API

Signed-off-by: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>

KTLS: API

ktls is enabled by default, we can check if inicialization was
succesfull with gnutls_transport_is_ktls_enabled

Signed-off-by: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>

Merge branch 'fix-asan-out-of-tree' into 'master'

tests: fix out of tree builds with ASAN

See merge request gnutls/gnutls!1496

Merge branch 'wip/dueno/sct' into 'master'

Minor cleanup on the new X509 CT code

See merge request gnutls/gnutls!1495

.gitignore: ignore tests/x509cert-ct

Signed-off-by: Daiki Ueno <ueno@gnu.org>

X509 CT: defer filling in the length field

This eliminates the need of precalculating the payload size, to make
it easier to adapt to new format.

Signed-off-by: Daiki Ueno <ueno@gnu.org>

tests: fix out of tree builds with ASAN

Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

Merge branch 'test-allowlisting-proto-tcp' into 'master'

test for gnutls_protocol_set_enabled, TCP

See merge request gnutls/gnutls!1494

tests: add protocol-set-allowlist

Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

tests: add tcp_connect to utils

Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

X509 CT: use size_t for array index instead of unsigned

Signed-off-by: Daiki Ueno <ueno@gnu.org>

Merge branch 'aja-certificate-transparency' into 'master'

Read Certificate Transparency (RFC 6962) SCT extension

Closes #232

See merge request gnutls/gnutls!1367

Update symbols

Signed-off-by: Ander Juaristi <a@juaristi.eus>

devel: Suppress new API functions

Signed-off-by: Ander Juaristi <a@juaristi.eus>

x509 CT: Add tests

Signed-off-by: Ander Juaristi <a@juaristi.eus>

x509 CT: implement new public API

This commit implements import and export functions for the X.509
Certificate Transparency Signed Certificate Timestamp (SCT) extension
(RFC 6962).

A new constant GNUTLS_X509EXT_OID_CT_SCT is introduced
with the value "1.3.6.1.4.1.11129.2.4.2".

The following new public API functions are introduced:

    - gnutls_x509_ext_ct_scts_init
    - gnutls_x509_ext_ct_scts_deinit
    - gnutls_x509_ext_ct_import_scts
    - gnutls_x509_ext_ct_export_scts
    - gnutls_x509_ct_sct_get_version
    - gnutls_x509_ct_sct_get

Signed-off-by: Ander Juaristi <a@juaristi.eus>

Merge branch 'wip/dueno/abi-check-latest' into 'master'

build: stop running abi-dump-latest at "make files-update"

See merge request gnutls/gnutls!1491

devel/libgnutls.abignore: ignore drbg_aes_* functions

These functions are only defined when compiled with
--enable-fips140-mode.

Signed-off-by: Daiki Ueno <ueno@gnu.org>

Merge branch 'wip/dueno/config-allowlisting' into 'master'

priority: support allowlisting in configuration file

Closes #1172

See merge request gnutls/gnutls!1427

priority: support allowlisting in configuration file

This adds a new mode of interpreting the [overrides] section.  If
"override-mode" is set to "allowlisting" in the [global] section, all
the algorithms (hashes, signature algorithms, curves, and versions)
are initially marked as insecure/disabled.  Then the user can enable
them by specifying allowlisting keywords such as "secure-hash" in the
[overrides] section.

Signed-off-by: Daiki Ueno <ueno@gnu.org>
Co-authored-by: Alexander Sosedkin <asosedkin@redhat.com>

Merge branch 'wip/dueno/valgrind-tests' into 'master'

build: update to use the latest valgrind-tests module from Gnulib

Closes #1253

See merge request gnutls/gnutls!1488

CONTRIBUTING.md: clarify how to introduce new API

Signed-off-by: Daiki Ueno <ueno@gnu.org>

release-steps: "make abi-dump-latest" at release time

Signed-off-by: Daiki Ueno <ueno@gnu.org>

build: stop running abi-dump-latest at "make files-update"

The procedure of registering ABI updates has changed in
bd3c78b9d10937adb1855b85bca1864972a1c986.

Signed-off-by: Daiki Ueno <ueno@gnu.org>

build: update to use the latest valgrind-tests module from Gnulib

This adjust the existing valgrind invocations in the test suite with:
https://www.gnu.org/software/gnulib/manual/html_node/Valgrind-options.html

- make --suppressions option to per directory, using AM_VALGRINDFLAGS
- use LOG_VALGRIND for LOG_COMPILER
- quote '$(LOG_VALGRIND)' in TESTS_ENVIRONMENT
- move gl_VALGRIND_TESTS_DEFAULT_NO call before gl_INIT

Signed-off-by: Daiki Ueno <ueno@gnu.org>

Merge branch 'fix_non_vla_02' into 'master'

sockets: fixed building for Windows with compilers without VLA support (alternative version)

See merge request gnutls/gnutls!1490

sockets: fixed compiler warning on Windows x32

Signed-off-by: Evgeny Grin <k2k@narod.ru>

sockets: fixed building for Windows with compilers without VLA support

Signed-off-by: Evgeny Grin <k2k@narod.ru>

priority: refactor config file parsing

This adds the following refactoring:

- avoid side-effects during parsing the config file, by separating
  application phase; the parsed configuration can be applied globally
  with cfg_apply, after validation
- make _gnutls_*_mark_{disabled,insecure} take an ID instead of the
  name

Signed-off-by: Daiki Ueno <ueno@gnu.org>

Merge branch 'wip/dueno/thr' into 'master'

locks: couple of improvements using Gnulib glthread

See merge request gnutls/gnutls!1485

locks: deprecate gnutls_global_set_mutex

As the library now uses static mutexes, rwlocks, and onces, it doesn't
make much sense to only replace dynamic mutex usage.

Signed-off-by: Daiki Ueno <ueno@gnu.org>

locks: use once execution for on-demand initialization of globals

This makes sure that the global variables are initialized only once.
Most of those variables are initialized at ELF constructor, though a
couple of occasions they are initialized on-demand: the global keylog
file pointer and TPM2 TCTI context.  To properly protect the
initialization this patch uses gl_once provided by Gnulib.

Signed-off-by: Daiki Ueno <ueno@gnu.org>

locks: rework rwlock primitives

Remove GNUTLS_STATIC_RWLOCK_*LOCK macros and respect return values of
rwlock primitives.

Signed-off-by: Daiki Ueno <ueno@gnu.org>

pkcs11: switch to using static mutex

Signed-off-by: Daiki Ueno <ueno@gnu.org>

verify-tofu: switch to using static mutex for locking

Signed-off-by: Daiki Ueno <ueno@gnu.org>

locks: replace custom mutex wrappers with "glthread/lock.h"

As Gnulib provides portability wrappers of mutex implementations, we
don't need to provide similar wrappers by ourselves.

Signed-off-by: Daiki Ueno <ueno@gnu.org>

Merge branch 'wip/dueno/tpm2' into 'master'

Port openconnect TPM2 code

Closes #594

See merge request gnutls/gnutls!1460

Port openconnect TPM2 code

This introduces transparent loading of TPM2 keys which are in PEM
form by gnutls_privkey_import_x509_raw() and higher level functions
which wrap it.

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Co-authored-by: David Woodhouse <dwmw2@infradead.org>
Co-authored-by: Daiki Ueno <ueno@gnu.org>

Merge branch 'abs-top-builddir-fix' into 'master'

tests: pass $abs_top_builddir more consistently

See merge request gnutls/gnutls!1484

tests: set $abs_top_builddir in more places

`$abs_top_builddir` has been used all across tests' subdirectories
(through tests/scripts/common.sh)
but has only been defined for tests/suite/ ones.
Defining it in other Makefiles where `top_builddir` is being passed.

Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

Merge branch 'wip/dueno/system_wide_priority_strings_init' into 'master'

priority: rework config reloading logic and locking

See merge request gnutls/gnutls!1483

priority: rework config reloading logic and locking

The previous reloading logic relied on the existence of [priority]
section (in the initial loading) as an indicator whether the file is
loaded.  This didn't work well in the following cases:
- when the section didn't exist initially and then is added later
- when the section existed initially and then is removed later
To handle these cases, this change adds a new flag
system_priority_file_loaded which can be used together with the mtime
check.

This also adds an rwlock to protect global configuration.

Signed-off-by: Daiki Ueno <ueno@gnu.org>

Revert "priority: fix potential race in reloading system-wide config"

This reverts commit 890c6937a3cfb4a0704bc815324221ec4cb89840.
Considering the entire logic around reloading the config file, the fix
was suboptimal.

Signed-off-by: Daiki Ueno <ueno@gnu.org>

Merge branch 'wip/dueno/abi-dump-release' into 'master'

devel: update release procedure taking into account of abi-dump

See merge request gnutls/gnutls!1481

Merge branch 'wip/dueno/priority-race' into 'master'

priority: fix potential race in reloading system-wide config

See merge request gnutls/gnutls!1482

priority: fix potential race in reloading system-wide config

_gnutls_update_system_priorities is called from gnutls_priority_set*
functions every time when the SYSTEM keyword is used and updates a
global variable system_wide_priority_strings if the configuration
changes.  Although the critical path is protected with mtime check, it
should also hold a lock to avoid occasional race condition in
multi-thread programs.  This also clears
system_wide_priority_strings_init upon unloading and before reloading
the config file (thanks to Alexander Sosedkin).

Signed-off-by: Daiki Ueno <ueno@gnu.org>

Merge branch 'wip/asosedki/gitlab-ci-speed-up-cppcheck' into 'master'

.gitlab-ci.yml: add caching to cppcheck

See merge request gnutls/gnutls!1480

.gitlab-ci.yml: add caching to cppcheck

Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

devel: update release procedure taking into account of abi-dump

As the *.abi files have been moved into a separate repository, we need
an extra step to update the repository for new release.

Signed-off-by: Daiki Ueno <ueno@gnu.org>

Merge branch 'wip/asosedki/hash-filters-prf' into 'master'

make insecure-hash filter out ciphersuites on ->prf as well

See merge request gnutls/gnutls!1479

NEWS: add a notice of insecure-hash filtering ciphersuites on PRF

Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

tests: add system-override-hash-influences-prf

Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

priority: filter out ciphersuites with prf blocked by insecure-hash

Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

priority: refactor ciphersuite filtering

Signed-off-by: Alexander Sosedkin <asosedkin@redhat.com>

Merge branch 'ktls' into 'master'

ktls: basic implementation of SW mode

See merge request gnutls/gnutls!1451

ktls: basic implementation of SW mode

ktls enables us to offload encryption/decryption to the kernel

prerequisites:
- configured with `--enable-ktls`
- tls module `modprobe tls` check with 'lsmod | grep tls'
- per connection:
gnutls_transport_set_int{2} must be set

When prerequisities are met then ktls is used by default.

If GnuTLS encounters a error during KTLS initialization, it will
not use ktls and fallback to userspace.

Signed-off-by: Frantisek Krenzelok <krenzelok.frantisek@gmail.com>

Merge branch 'wip/dueno/abi-dump' into 'master'

devel: move .abi files into a separate repository

See merge request gnutls/gnutls!1478

devel: make use of abidw --drop-private-types

This will produce more compact abixml output.

Signed-off-by: Daiki Ueno <ueno@gnu.org>

devel: move .abi files into a separate repository

Changes to the .abi files are a bit too noisy to track in the main
repository.  This moves the files out of this repository and embed it
as a git submodule.

Signed-off-by: Daiki Ueno <ueno@gnu.org>

Merge branch 'mingw64-detection' into 'master'

fix mingw64 detection

See merge request gnutls/gnutls!1476

fix mingw64 detection

__MINGW64__ is only defined for 64 bits builds of mingw64 [1].
The intended test what to only use the CertEnumCRLsInStoreFunc via LoadLibrary
for some ancient mingw32 build and never for mingw64.

__MINGW64_VERSION_MAJOR is a proper define to identify mingw64 against mingw32.

[1] https://sourceforge.net/p/predef/wiki/Compilers/

Co-authored-by: Johannes Kauffmann <johanneskauffmann@hotmail.com>
Signed-off-by: Steve Lhomme <robux4@ycbcr.xyz>

Merge branch 'x25519-and-x448' into 'master'

certtool: generate, parse, and manipulate X25519 and X448 pubkeys, privkeys, and certificates

See merge request gnutls/gnutls!1428

Merge branch 'wip/dueno/shake' into 'master'

wrap_nettle_hash_exists: add missing hash algorithms

See merge request gnutls/gnutls!1473

wrap_nettle_hash_exists: add missing hash algorithms

This adds SHAKE-128, SHAKE-256, and RIPEMD-160 to the supported
algorithms by nettle.  While SHAKEs are not a hash algorithm but an
XOF, it would be consistent to report they are implemented.

The simple test is expanded to exercise the code
path (gnutls_digest_get_id → wrap_nettle_hash_exists).

Signed-off-by: Daiki Ueno <ueno@gnu.org>

Merge branch 'wip/dueno/oss-fuzz-focal' into 'master'

fuzz: explicitly supply LDFLAGS to clang++ command line

See merge request gnutls/gnutls!1474

fuzz: explicitly supply LDFLAGS to clang++ command line

This prevented fuzzer programs being linked in Ubuntu 20.03, used in
oss-fuzz.

Signed-off-by: Daiki Ueno <ueno@gnu.org>

lib/x509: Avoid memcpy when string is empty

This fixes an ASAN warning in fuzz/gnutls_private_key_parser_fuzzer
when run against the malformed private key
fuzz/gnutls_private_key_parser_fuzzer.in/10a5c92fa30ddb6cbb4286d7699b2b7a7e032b17

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

NEWS: added news about certtool handling x448 and x25519

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

tests: add test for generating x25519 and x448 certificates

These certs should work just fine for the purposes of cryptographic
e-mail (S/MIME).

These usage flags are also used in the end-entity certificates found
in https://datatracker.ietf.org/doc/draft-ietf-lamps-samples/

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

tests: update details about sample X25519 certificate

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

certtool: add x448 and x25519 for --key-type

This is a simple extension of the certtool command-line interface.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

certtool: when making X25519 or X448 certs, always use "key agreement"

This is related to #1227 -- but in this case, it's enforcing a
requirement of RFC 8410 §5.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

x509: handle X25519 and X448 in read_pubkey

_gnutls_x509_read_ecdh_pubkey is basically a clone of
_gnutls_x509_read_eddsa_pubkey.  Another form of implementation
would be to collapse these two static functions into a common
function for all "CFRG" curves.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

nettle: handle X25519 and X448 in pk_fixup

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

x509: enable importing secret keys for X448 and X25519.

_decode_pkcs8_modern_ecdh_key is virtually the same as
_decode_pkcs8_eddsa_key.  Another implementation would be
to collapse these two functions into one, since their structure
is identical.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

Enable X25519 and X448 everywhere that EdDSA is supported.

These are just trivial extension points where the codepath is the same
for the ECDH scheme as it is for the EdDSA scheme.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

x509: handle X448 and X25519 in write_pubkey

This uses the same structure as _gnutls_x509_write_eddsa_pubkey.

Another way to write this would be to combine those two functions,
despite X448 and X25519 not being EdDSA at all.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

pubkey: handle X25519 and X448 in gnutls_pubkey_import_pkcs11

I am not confident in the strings I chose to match on in
ASN1_ETYPE_PRINTABLE_STRING, in that I do not know what registry
I should look this up in.

The *parse_ecc_ecdh_params and *import_ecc_ecdh functions are tweaked
analogs to the eddsa versions of those functions.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

nettle: extend pk_verify_priv_params to handle X25519 and X448

This is basically a copy of the EdDSA case in the switch statement.

Another way to implement it would be to augment the EdDSA case (and
the functions it uses) to have that case also handle ECDH use of the
CFRG curves.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>